feat: codex-only ctm — drop claude, daemon, and web UI (#23) #39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SonarCloud quality gate + coverage upload. | |
| # | |
| # Triggers: push to main (full-history scan) and PRs (incremental scan | |
| # against the base branch). Concurrency-gated per-ref so reruns cancel | |
| # in-flight scans. | |
| # | |
| # Coverage is collected fresh in this workflow rather than reused from | |
| # CI — Sonar needs the go-coverprofile in the same workspace pass, and | |
| # the existing CI job runs `go test` without -coverprofile. Adding | |
| # coverage there would slow every PR build; keeping it here isolates | |
| # the cost to the Sonar job. | |
| name: SonarCloud | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| concurrency: | |
| group: sonar-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # Sonar uses git blame for new-code detection — shallow | |
| # checkouts (default fetch-depth=1) attribute every line to | |
| # the latest commit, breaking the quality-gate "new code" | |
| # signal. fetch-depth: 0 grabs the full history. | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Go test with coverage | |
| run: | | |
| go test -tags sqlite_fts5 \ | |
| -coverprofile=coverage.out \ | |
| -covermode=atomic \ | |
| ./... | |
| - name: Detect SONAR_TOKEN | |
| id: token | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: | | |
| if [ -n "$SONAR_TOKEN" ]; then | |
| echo "present=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "present=false" >> "$GITHUB_OUTPUT" | |
| echo "::warning::SONAR_TOKEN secret is not set; skipping SonarCloud scan. Add the token in repo Settings → Secrets and variables → Actions." | |
| fi | |
| - name: SonarCloud Scan | |
| if: steps.token.outputs.present == 'true' | |
| # v6 — v5 emits a deprecation/security warning on every run. | |
| # Pinned to commit SHA per supply-chain hygiene. Bump by | |
| # re-running `gh api repos/SonarSource/sonarqube-scan-action/git/refs/tags/v6`. | |
| uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6 | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |